A quick Google search says that it’s due to Letsencrypt’s policy. Does anyone know if webroot challenges are a possibility in the future?

The reason we would like to use the webroot method is we have a custom DNS server and it’s not practical to add/change TXT records when it comes to getting and renewing SSL certs for all our many domains. Using regular certs with subdomains is also not practical as the subdomains change often and more than what 1 cert can have.

A quick Google search says that it’s due to Letsencrypt’s policy. Does anyone know if webroot challenges are a possibility in the future?

I would say probably not.

vnomura:

The reason we would like to use the webroot method is we have a custom DNS server and it’s not practical to add/change TXT records when it comes to getting and renewing SSL certs for all our many domains. Using regular certs with subdomains is also not practical as the subdomains change often and more than what 1 cert can have.

Have you considered creating an _acme-challenge CNAME record in your DNS zone pointing to some other DNS zone? Then you can use a completely separate DNS provider of your choice (or a tool like @joohoi’s acme-dns) to satisfy the Let’s Encrypt DNS challenges without having to make any further changes to your regular DNS zone.

Yes, that’s right. But the new DNS server doesn’t get a single one-time TXT record; rather, it has to support an API for your Let’s Encrypt client to perform updates to post the DNS record that the certificate authority asks it to each time a certificate is going to be issued.

My recent topic might be helpful. In short, it runs a DNS server whose only purpose is to serve TXT records for Let’s Encrypt domain validation, and which has an API that can (by way of a hook script that the author has also written) be made to work pretty smoothly with certbot.
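As an added illustration of the _acme-challenge CNAME delegation discussed in the replies above (this is not code from the thread, from certbot or from acme-dns), the script below computes the DNS-01 TXT value an ACME client has to publish and checks, over a constructed record table standing in for live DNS, that _acme-challenge.<domain> follows its CNAME to a delegated name that holds that value. The zone names, token, account thumbprint and acme-dns subdomain UUID are assumed sample values.

```python
import base64
import hashlib
import json


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the CA expects TXT = base64url(SHA-256(token "." thumbprint)),
    with the '=' padding stripped."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def resolve_txt(name: str, records: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs from `name` as a validating resolver would and return the TXT
    strings at the end of the chain. `records` is a constructed owner -> [(rtype, rdata)]
    table; with live DNS the same walk happens inside the CA's resolver."""
    seen = set()
    for _ in range(max_hops):
        name = _canon(name)
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = records.get(name, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME owner carries no other data; keep walking
            continue
        return [rdata for rtype, rdata in rrset if rtype == "TXT"]
    raise ValueError("too many CNAME hops")


def challenge_satisfied(domain: str, token: str, thumbprint: str, records: dict) -> bool:
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(f"_acme-challenge.{domain}", records)


def acme_dns_update_body(subdomain: str, token: str, thumbprint: str) -> str:
    """JSON body an auth hook would POST to the delegated server's update endpoint;
    `subdomain` is the identifier acme-dns hands out at registration (assumed)."""
    return json.dumps({"subdomain": subdomain, "txt": dns01_txt_value(token, thumbprint)})


# Constructed sample data: not a real token, account key or zone.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
DELEGATE = "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.acme-dns.example.net."
ZONE = {
    "_acme-challenge.example.com.": [("CNAME", DELEGATE)],
    DELEGATE: [("TXT", dns01_txt_value(TOKEN, THUMBPRINT))],
    "_acme-challenge.loop.example.": [("CNAME", "_acme-challenge.loop.example.")],
}
```

Only the record under DELEGATE ever changes between issuances, which is the point of the delegation: the regular zone keeps one static CNAME.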

How much time do I have from the time I request the wildcard cert and the time I have to make the txt record changes for the domain name?

7 days

vnomura:

Does something keep trying on LE’s end every x minutes?

No, Let’s Encrypt only checks the TXT record when an ACME client sends a request to the Let’s Encrypt server to “complete” the authorization.

For example, certbot and many other clients will print the token to the screen, and wait for you to press ENTER to verify it. With other clients like acme.sh, you can run one command to get a token and another one when it is ready to be checked.